ATM MALWARE NOTICE
d9c6515fd0fb3cd14b4bb4d11ecda78602d17f370780a4b9ee006a9830106213
Date...........: 2018-05-16
Family.........: WinPot
File name......: Dumped_.exe
File size......: 88.00 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Documentation..: https://medium.com/@pushret/atmjackpot-malware-en-b0cdb29e7ce
Additional note: Unpacked from c3a5c8e9195163cef8e0e70bd8f3d49c8048e37af7c969341e1753aee63df0ae
Fill 0x402431 with NOPs to bugfix it.
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 64 0x40
blocks_in_file: 1 1
num_relocs: 0 0
header_paragraphs: 2 2
min_extra_paragraphs: 4 4
max_extra_paragraphs: 65535 0xffff
ss: 2 2
sp: 64 0x40
checksum: 0 0
ip: 14 0xe
cs: 0 0
reloc_table_offset: 28 0x1c
overlay_number: 0 0
reserved0: 3706015365755568128 0x336e695700000000
oem_id: 8242 0x2032
oem_info: 28271 0x6e6f
reserved2: 220297580 0xd21796c
reserved3: 3020825610 0xb40e240a
reserved4: 47625 0xba09
reserved5: 3089222943 0xb821cd1f
reserved6: 567102465 0x21cd4c01
lfanew: 64 0x40
=== DOS STUB ===
00000000: 57 69 6e 33 32 20 6f 6e 6c 79 21 0d 0a 24 0e b4 |Win32 only!..$..|
00000010: 09 ba 00 00 1f cd 21 b8 01 4c cd 21 40 00 00 00 |......!..L.!@...|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 11 0xb
TimeDateStamp: "2026-01-14 09:44:18"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 783 0x30f RELOCS_STRIPPED, EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED
32BIT_MACHINE, DEBUG_STRIPPED
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.24
SizeOfCode: 8192 0x2000
SizeOfInitializedData: 20992 0x5200
SizeOfUninitializedData: 512 0x200
AddressOfEntryPoint: 4096 0x1000
BaseOfCode: 4096 0x1000
BaseOfData: 12288 0x3000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 4096 0x1000
OperatingSystemVersion: 4.0
ImageVersion: 1.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 90112 0x16000
SizeOfHeaders: 4096 0x1000
CheckSum: 67975 0x10987
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 0 0
SizeOfStackReserve: 2097152 0x200000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 15000 size:0x 50
RESOURCE rva:0x a000 size:0x 1a18
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 0 size:0x 0
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x f6d9 size:0x 18
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 0 size:0x 0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
1000 2000 2000 1000 0 0 0 0 c0000040 RW- IDATA
3000 1000 1000 3000 0 0 0 0 c0000040 RW- IDATA
4000 1000 1000 4000 0 0 0 0 c0000040 RW- IDATA
5000 1000 1000 5000 0 0 0 0 c0000040 RW- IDATA
6000 1000 1000 6000 0 0 0 0 c0000040 RW- IDATA
7000 1000 1000 7000 0 0 0 0 c0000040 RW- IDATA
8000 1000 1000 8000 0 0 0 0 c0000040 RW- IDATA
9000 1000 1000 9000 0 0 0 0 c0000040 RW- IDATA
a000 2000 2000 a000 0 0 0 0 c0000040 RW- IDATA
c000 9000 9000 c000 0 0 0 0 c0000040 RW- IDATA
.mackt 15000 1000 1000 15000 0 0 0 0 e0000060 RWX CODE IDATA
=== TLS ===
RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS
409001 40901c 414000 408004 0 0
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0xa0e8 0 0 5672 ICON #1
0xb710 0 0 754 DIALOG #100
0xba04 0 0 20 GROUP_ICON #102
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
kernel32.dll 32 CloseHandle
kernel32.dll 6d CreateThread
kernel32.dll 80 DeleteCriticalSection
kernel32.dll 97 EnterCriticalSection
kernel32.dll b7 ExitProcess
kernel32.dll f1 FreeLibrary
kernel32.dll 10a GetCommandLineA
kernel32.dll 169 GetLastError
kernel32.dll 16b GetLocalTime
kernel32.dll 177 GetModuleHandleA
kernel32.dll 199 GetProcAddress
kernel32.dll 1af GetStartupInfoA
kernel32.dll 219 InitializeCriticalSection
kernel32.dll 244 LeaveCriticalSection
kernel32.dll 245 LoadLibraryA
kernel32.dll 338 SetUnhandledExceptionFilter
kernel32.dll 34d TerminateThread
kernel32.dll 353 TlsGetValue
kernel32.dll 376 VirtualProtect
kernel32.dll 378 VirtualQuery
kernel32.dll 380 WaitForSingleObject
msvcrt.dll 161 _itoa
msvcrt.dll 18c _mbsdup
msvcrt.dll 6f __getmainargs
msvcrt.dll 85 __p__environ
msvcrt.dll 87 __p__fmode
msvcrt.dll 9a __set_app_type
msvcrt.dll c9 _cexit
msvcrt.dll 140 _iob
msvcrt.dll 1b5 _onexit
msvcrt.dll 1e0 _setmode
msvcrt.dll 27c abort
msvcrt.dll 283 atexit
msvcrt.dll 285 atoi
msvcrt.dll 288 calloc
msvcrt.dll 2a6 free
msvcrt.dll 2ae fwrite
msvcrt.dll 2df memcpy
msvcrt.dll 2f7 signal
msvcrt.dll 2fa sprintf
msvcrt.dll 2fd sscanf
msvcrt.dll 30f strtok
msvcrt.dll 321 vfprintf
user32.dll 9f DialogBoxParamA
user32.dll c5 EnableWindow
user32.dll c7 EndDialog
user32.dll 112 GetDlgItem
user32.dll 1be LoadImageA
user32.dll 202 PostQuitMessage
user32.dll 23c SendMessageA
user32.dll 27b SetTimer
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
000000000020 000000400020 0 Win32 only!
0000000002C8 0000004002C8 0 .mackt
000000003008 000000403008 0 CSCCNG
000000003010 000000403010 0 CSCWCNG
000000004000 000000404000 0 libgcj-16.dll
00000000400E 00000040400E 0 _Jv_RegisterClasses
000000004026 000000404026 0 %1[0-9]NDV=%8[0-9],
00000000403A 00000040403A 0 %1[0-9]NDV=%8[0-9]
00000000404D 00000040404D 0 %1[0-9]VAL=%8[0-9]
000000004060 000000404060 0 CscCngOpen
00000000406B 00000040406B 0 CscCngStatusRead
00000000407C 00000040407C 0 CscCngClose
000000004088 000000404088 0 CscCngDispense
000000004097 000000404097 0 CscCngTransport
0000000040A7 0000004040A7 0 CscCngReset
0000000040B3 0000004040B3 0 Open error: 0x80
0000000040C4 0000004040C4 0 %d,%02d;
0000000040CD 0000004040CD 0 Getting %d note(s) from %d
0000000040E8 0000004040E8 0 Dispense error: 0x80
0000000040FD 0000004040FD 0 Transport
000000004107 000000404107 0 Transport error: 0x80
00000000411D 00000040411D 0 Transport to customer
000000004133 000000404133 0 Transport error: 0x8000
00000000414B 00000040414B 0 Dispence Success
00000000415F 00000040415F 0 Thread error!
00000000416D 00000040416D 0 Thread open.
000000004180 000000404180 0 Mingw runtime failure:
000000004198 000000404198 0 VirtualQuery failed for %d bytes at address %p
0000000041CC 0000004041CC 0 Unknown pseudo relocation protocol version %d.
000000004200 000000404200 0 Unknown pseudo relocation bit size %d.
00000000422C 00000040422C 0 GCC: (tdm-1) 5.1.0
000000004240 000000404240 0 GCC: (tdm-1) 5.1.0
000000004254 000000404254 0 GCC: (tdm-1) 5.1.0
000000004268 000000404268 0 GCC: (tdm-1) 5.1.0
00000000A53D 00000040A53D 0 &&&&&&&&&
00000000A5A5 00000040A5A5 0 QQQQQ
00000000A5BB 00000040A5BB 0 &&&&&&&&&
00000000A5DA 00000040A5DA 0 ?????????QQQQ
00000000A5FA 00000040A5FA 0 QQQ?????????
00000000A623 00000040A623 0 NNNNN:::::::::::::::::::::NNN
00000000A659 00000040A659 0 [[[[[
00000000A7C1 00000040A7C1 0 =======
00000000A810 00000040A810 0 QQQ :
00000000A850 00000040A850 0 QQ? :
00000000A890 00000040A890 0 QQ? :\
00000000AC9A 00000040AC9A 0 ]]]]]]]]
00000000ACAC 00000040ACAC 0 ]]]]]]]]]
00000000ACEB 00000040ACEB 0 LL_____
00000000ACF3 00000040ACF3 0 LLLLX
00000000ACFC 00000040ACFC 0 VXXXLXXXXXXXV
00000000AE2B 00000040AE2B 0 '''''''''''''
00000000AE5A 00000040AE5A 0 YYY::Y:NNNNddcccd
00000000B028 00000040B028 0 #N#ff
00000000B1A0 00000040B1A0 0 N*++BBB*
00000000B215 00000040B215 0 iNi##
00000000B2A2 00000040B2A2 0 :bgbf
00000000B2B1 00000040B2B1 0 iAcfb
00000000B2E6 00000040B2E6 0 & Q#
00000000B323 00000040B323 0 bAp88(
00000000B354 00000040B354 0 Ncdc:N
00000000B423 00000040B423 0 &&&&&
00000000B47F 00000040B47F 0
00000000C028 00000040C028 0 Kernel32.dll
00000000C041 00000040C041 0 LoadLibraryA
00000000C04F 00000040C04F 0 GetProcAddress
00000000C41A 00000040C41A 0 Microsoft Base Cryptographic Provider v1.0
00000000EFE1 00000040EFE1 0 5enad
00000000F0B2 00000040F0B2 0 5enad
00000000F72D 00000040F72D 0 atmAttack.exe
00000000F73B 00000040F73B 0 ND.EXE
000000015064 000000415064 0 kernel32.dll
000000015074 000000415074 0 CloseHandle
000000015082 000000415082 0 CreateThread
000000015092 000000415092 0 DeleteCriticalSection
0000000150AA 0000004150AA 0 EnterCriticalSection
0000000150C2 0000004150C2 0 ExitProcess
0000000150D0 0000004150D0 0 FreeLibrary
0000000150DE 0000004150DE 0 GetCommandLineA
0000000150F0 0000004150F0 0 GetLastError
000000015100 000000415100 0 GetLocalTime
000000015110 000000415110 0 GetModuleHandleA
000000015124 000000415124 0 GetProcAddress
000000015136 000000415136 0 GetStartupInfoA
000000015148 000000415148 0 InitializeCriticalSection
000000015164 000000415164 0 LeaveCriticalSection
00000001517C 00000041517C 0 LoadLibraryA
00000001518C 00000041518C 0 SetUnhandledExceptionFilter
0000000151AA 0000004151AA 0 TerminateThread
0000000151BC 0000004151BC 0 TlsGetValue
0000000151CA 0000004151CA 0 VirtualProtect
0000000151DC 0000004151DC 0 VirtualQuery
0000000151EC 0000004151EC 0 WaitForSingleObject
000000015200 000000415200 0 msvcrt.dll
00000001520E 00000041520E 0 _itoa
000000015216 000000415216 0 _mbsdup
00000001521E 00000041521E 0 msvcrt.dll
00000001522C 00000041522C 0 __getmainargs
00000001523C 00000041523C 0 __p__environ
00000001524C 00000041524C 0 __p__fmode
00000001525A 00000041525A 0 __set_app_type
00000001526C 00000041526C 0 _cexit
00000001527E 00000041527E 0 _onexit
000000015288 000000415288 0 _setmode
000000015294 000000415294 0 abort
00000001529C 00000041529C 0 atexit
0000000152AE 0000004152AE 0 calloc
0000000152C0 0000004152C0 0 fwrite
0000000152CA 0000004152CA 0 memcpy
0000000152D4 0000004152D4 0 signal
0000000152DE 0000004152DE 0 sprintf
0000000152E8 0000004152E8 0 sscanf
0000000152F2 0000004152F2 0 strtok
0000000152FC 0000004152FC 0 vfprintf
000000015306 000000415306 0 user32.dll
000000015314 000000415314 0 DialogBoxParamA
000000015326 000000415326 0 EnableWindow
000000015336 000000415336 0 EndDialog
000000015342 000000415342 0 GetDlgItem
000000015350 000000415350 0 LoadImageA
00000001535E 00000041535E 0 PostQuitMessage
000000015370 000000415370 0 SendMessageA
000000015380 000000415380 0 SetTimer
00000000B726 00000040B726 0 WinPot
00000000B736 00000040B736 0 Ms Shell Dlg
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!